I have a normal user (sites:users) and the usual http user (wwwrun:www).
I’m hosting several sites and I want to be able to upload stuff via ftp, so I’m using the “sites” home (/home/sites) to keep the sites I’m hosting.
Giving read permissions to all inside /home/sites makes it accessible and readable to the wwwrun user.
Problems come when I need to upload something. The easy way is to give 777 permissions to the folder that’s going to receive the file, but I don’t feel comfortable at all with that.
What do you recommend? Is there any group configuration that could help me (like adding “sites” to the “www” group)? Or any other configuration at all that might be according to the best practices?
Make the site owned by the user logged in via ftp. Apache only needs the files to be readable and the directories to be readable and searchable so make sure that the ftp upload sets the world permissions accordingly. The only exceptions are directories that are used for uploads via the website, those must be writable by the wwwrun user or www group. Your webapp doco will indicate which directories those are.
Thank you for your reply!
How do I make a folder that belongs to the user writable by wwwrun or the www group without making its permissions 777?
Make those owned by wwwrun. It’s unlikely that the http upload directories will also be used for ftp uploads. Normally http uploads are used by users for things like uploading attachments to forum posts, while ftp uploads are used by developers to update things like images or HTML pages.
In the unlikely case that the directory has to be writable both by ftp and http, then make the owner the ftp account, the group www and group writable. The permission would be, say, 775.
By the way, I notice you’re from Portugal. I had a nice time there for a couple of weeks in 2009, mostly in the north, Coimbra, Porto, Viana do Castelo. Also spent a few days in Madeira.
Good luck and see you later.
The northern part and the islands are indeed beautiful. As the rest of the country :).
Hope you come back soon.
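The permission layout recommended in the answers above, written out as a shell script. This is an added example, not code from any poster in the thread. The function names and argument order are assumptions, and it assumes the site holds static files only, since mode 644 strips execute bits.

```shell
#!/bin/sh
# Added example (not from the thread): replace blanket 777 permissions with
# the layout from the answers. Run as the ftp account that owns the site.
# Changing the owner needs root, e.g. `chown -R sites:users /home/sites/SITE`,
# or `chown wwwrun DIR` for a directory written only by the web application.

# list_world_writable DIR
# Print every file or directory under DIR that "other" may write to, which
# is what chmod 777 leaves behind. Symlinks are skipped: their own mode bits
# are not used for access checks.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# harden_site DIR WEB_GROUP [SHARED_DIR...]
# DIR         site root owned by the ftp account
# WEB_GROUP   group of the web server (www in the thread)
# SHARED_DIR  directories that both ftp and the web application write to
harden_site() {
    site=$1
    web_group=$2
    shift 2
    # Directories: readable and searchable by Apache, writable by owner only.
    find "$site" -type d -exec chmod 755 {} +
    # Files: readable by Apache, writable by owner only.
    find "$site" -type f -exec chmod 644 {} +
    # Shared upload directories: owner stays the ftp account, group becomes
    # the web server group with write access, no write for anyone else.
    for dir in "$@"; do
        chgrp "$web_group" "$dir"
        chmod 775 "$dir"
    done
}

# When called with arguments, harden the tree and report anything that is
# still world-writable. Constructed example invocation:
#   sh harden.sh /home/sites/example www /home/sites/example/uploads
if [ "$#" -ge 2 ]; then
    harden_site "$@"
    list_world_writable "$1"
fi
```

The ftp account must be a member of the web server group for the `chgrp` call to succeed without root.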